
Facebook is probably the biggest database of photographs ever compiled.

We upload around 350 million photos to the world’s most popular social network every day. Facebook users aren’t quite as busy sharing photos as the kids who use Snapchat or WhatsApp, but they’re not far off, and they’ve been doing it a lot longer.

In a beautiful and terrifying illustration of the vast asymmetries that the internet can create, security researcher Laxman Muthiyah has revealed how he discovered he had the power to delete billions of images. If he was allowed to see it, he was allowed to delete it.

Thankfully for Facebook’s 1.3 billion users Laxman’s moral compass was in fine working order that day. He reported the bug to Facebook as soon as he found it, netting himself a cool $12,500 USD bug bounty in return.

Facebook’s response was swift – to its great credit the bug was fixed across its vast network within 2 hours.

OMG 😀 the album got deleted! So I got the key to delete all of your Facebook photos 😛 lol 😀
Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.

And let’s be absolutely clear, Laxman had options.

The bug he discovered is a weapon. It wouldn’t have killed anyone but it could have caused misery to millions.

Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing.

Or he could have milked it; kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name.

You might think that pulling off something like this requires genius and technology on an equally epic scale.

Not a bit of it.

In theory you could do it with a few lines of code and a phone or a Raspberry Pi. Hell, the code would probably run on a digital watch.

In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm – and even if it doesn’t, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.

But that’s just a question of horsepower, and horsepower is easy on the internet – there are kids running botnets of 60,000 computers.

Facebook album IDs are numeric, which means that guessing them is easy – you start with 1 and just keep going up.

So wrap that 4-line request in a loop and increment the ID from one to a trillion and you’ve got yourself a micro-David to take on Facebook’s photographic mega-Goliath.
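The bug class at the heart of this story, shown as an added example that is not code from the article, the researcher or Facebook: a toy album API in which the delete handler checks only that the caller may view the album (the defect), beside a hardened handler that requires ownership plus a write-scoped token, and a detector that flags a caller whose DELETE requests walk consecutive numeric album IDs. All names, scopes and the (caller, method, album_id) log format are hypothetical.

```python
"""Added example (not code from the article, the researcher or Facebook): the bug
class above beside its hardened form, plus a sequential-album-ID detector."""
from dataclasses import dataclass

@dataclass
class Album:
    owner: str
    privacy: str          # "public", "friends" or "only_me"
    deleted: bool = False

# Constructed sample data: small sequential numeric IDs, as on the real site.
ALBUMS = {1: Album("alice", "public"), 2: Album("bob", "friends"),
          3: Album("bob", "only_me"), 4: Album("carol", "public")}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}

def can_view(user, album):
    """View rule: public to everyone, friends-only to friends, else owner only."""
    return (album.owner == user or album.privacy == "public"
            or (album.privacy == "friends" and user in FRIENDS[album.owner]))

def delete_album_vulnerable(user, album_id):
    """The bug class: view permission is the only check before a delete."""
    album = ALBUMS.get(album_id)
    if album is None or not can_view(user, album):
        return False
    album.deleted = True
    return True

def delete_album_fixed(user, album_id, token_scopes):
    """Hardened: a delete needs the owner AND a token carrying the write scope."""
    album = ALBUMS.get(album_id)
    if album is None or album.owner != user or "albums:write" not in token_scopes:
        return False      # same answer for unknown and forbidden IDs
    album.deleted = True
    return True

def sequential_delete_callers(log, min_run=3):
    """Flag callers whose DELETEs hit min_run consecutive album IDs in a row."""
    by_caller, flagged = {}, set()
    for caller, method, album_id in log:
        if method == "DELETE":
            by_caller.setdefault(caller, []).append(album_id)
    for caller, ids in by_caller.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(caller)
                break
    return flagged
```

Returning the same failure for an unknown ID and a forbidden one, as the fixed handler does, also denies an enumerating caller the oracle that tells it which IDs exist.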

Update 2015-02-12

Facebook got in touch, keen to explain that this bug only applies to photo albums that the attacker has permission to view which, to all practical purposes, means photo albums that are public.

Your Cover Photos and Profile Pictures albums are public by default, for instance.

Taking out those albums alone, never mind any other public albums, would still amount to a hugely damaging attack but in light of this information we’ve changed the original headline and two sentences in the article to better reflect the nature of the bug.

Facebook’s spokesperson said:

We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We’d like to thank the researcher who reported the issue to us through our bug bounty program.

Nice headline. One man could have deleted every ‘photo’ on Facebook. Meanwhile, your story is about someone using FB’s API to delete ‘albums’ by ‘guessing’ albums’ IDs. This is the kind of ‘journalism’ that got Brian Williams in trouble!

Completely valid headline. The albums are in sequential order so it would be quite simple to write the code to delete them. There is no randomization whatsoever… You have no understanding of how simple this would have been.

Photos are presented to users in albums, which is why I went with that headline. Every photo that’s uploaded is part of an album (e.g. Instagram, Mobile Uploads etc) even if you don’t put it in one.

I’m sure that in the back end they’re stored as a multitude of redundant binary blobs in something like a giant Hadoop database – photos and photo albums are probably very, very difficult to delete completely.

And yes, guessing is a bona fide part of many attacks. You get spam to gmail accounts nobody knows about because spammers guess email addresses. Password cracking is the art of making good guesses.

That’s a pretty rookie mistake by Facebook. I’m surprised they let something that big slip through the cracks. I would expect QA might have addressed that particular test case already. Also, didn’t they test these REST endpoints? The first test I would have done would have been to send in bogus album id’s (well maybe test a bogus token first).

Given how much Facebook relies on the information its users so willingly provide to keep up its revenue stream, it’s no wonder they hopped to it and fixed the bug ASAP. Keep the cattle happy and well fed and they will provide much meat and milk.

Should have been a pretty simple fix: just apply the same checks to the android certs that they do to other validation methods. All the actual logic was in place; they likely just needed to fix a line of code that was still using a test library where it should have been using the deployment library.

What amazed me isn’t that they fixed it quickly, it’s how quickly they realised they needed to fix it quickly.

I bet their triage team spends days wading through false positives and insignificant bugs.

To go from being informed, to making a decision, to getting it in the hands of the right person, them not being on lunch, fixing it, testing it and then deploying across their enormous infrastructure in two hours is staggering.

Even if 99.9% of that time was spent in bureaucracy it’s still lean as hell.

All of you are assuming FB has backups and can restore easily. That is not really the case. Which one do they want to restore? How do you know the deleted one was done by a bad guy? How far do you go back when you are restoring?

Not that I want to be picky but I think I found two typos:
1- I think it should read “Update 2015-02-12”, unless the article is this year’s and the update was made last year.
2- In the same update section, you have a double “but” in the 3rd paragraph.

Some people get paid for finding bugs and others don’t. I found security flaws with photos which made the privacy setting useless anytime a user shared any photo from any album. I was able to get in a backdoor to all of the albums by opening the photo of one album.

Facebook fixed that flaw and many others I pointed out a long time ago, but acted like they didn’t understand what I was saying the one and only time they ever wrote back to me about all of the messages I sent them.

And, back then, it was really hard to figure out how to even contact anyone working at Facebook.

I used to be a programmer and tested software, also, in the past. So, it was almost an addiction for me to try to see how well things worked on any particular site I used regularly just as I did all the time before the internet came along.

But, FB didn’t even acknowledge me for finding the flaws in their security. I didn’t expect them to, at that time, but later when I started hearing that they were paying others to find less serious flaws on a regular basis, I was a bit annoyed, to say the least, that I didn’t even get a thank you.